TRUST AND SECURITY

Security for governed AI operations.

Security in ThinkFreely centers on control, visibility, access policy, data boundaries, and operational governance. The platform is designed to reduce unmanaged exposure. It is not framed as a guarantee of zero risk.


Why AI security is different

AI work often blends user prompts, files, model outputs, tool calls, memory, and external providers in a single request. A governed system has to manage who can do what, where data can go, and which activity can be reviewed. That is a traffic problem as much as an application problem, which is why control belongs at the layer above the models.

Access control

Access control should apply to users, groups, models, projects, skills, API keys, and tools, and it should be enforced in the backend rather than hidden in the interface.

  • role-based model access
  • group-level policy with per-user overrides
  • restricted projects and admin-managed capabilities
  • backend enforcement, so policy is more than a UI preference

Identity and authentication

Enterprise identity patterns align AI access with existing onboarding, offboarding, and security review.

  • OIDC-compatible authentication, including Microsoft Entra
  • domain-restricted registration
  • managed sessions and user identity propagation to tools

API key management

Managed API keys reduce provider-key sprawl. Keys are designed to be labeled, scoped, revocable, and tracked.

  • one-time display of the full key
  • hashed storage as the design direction, so the full key is not kept at rest
  • enable and disable controls
  • usage tied to each key
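The key lifecycle described above (one-time display, hashed storage, enable/disable, revocation, per-key usage) and the identity-linked offboarding case, as an added example that is not ThinkFreely's own code. The `tfk_` prefix, the `KeyStore` class and its method names are hypothetical; the design point is that the full key is returned once and only its digest is ever stored.

```python
"""Managed API keys: issue once, store only a hash, scope, enable/disable,
revoke, and attribute usage per key. Added example with hypothetical names;
not ThinkFreely's own code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

KEY_PREFIX = "tfk"  # hypothetical; a fixed prefix makes keys easy to spot in logs and scanners


def _digest(full_key: str) -> str:
    # Keys carry ~256 bits of entropy, so plain SHA-256 is adequate: a leaked
    # table of digests gives an attacker nothing to guess, unlike password hashes.
    return hashlib.sha256(full_key.encode()).hexdigest()


@dataclass
class KeyRecord:
    key_id: str            # public lookup handle, safe to show in the UI
    owner: str             # identity the key belongs to (used for offboarding)
    label: str
    scopes: frozenset
    key_hash: str          # the only form of the secret that is ever stored
    enabled: bool = True
    revoked: bool = False
    created_at: float = field(default_factory=time.time)
    uses: int = 0
    last_used: Optional[float] = None


class KeyStore:
    def __init__(self) -> None:
        self._by_id: dict = {}

    def issue(self, owner: str, label: str, scopes) -> str:
        """Create a key and return it in full exactly once; only its digest is kept."""
        key_id = secrets.token_hex(6)
        full_key = f"{KEY_PREFIX}_{key_id}_{secrets.token_urlsafe(32)}"
        self._by_id[key_id] = KeyRecord(key_id, owner, label, frozenset(scopes), _digest(full_key))
        return full_key

    def authenticate(self, presented: str, scope: str) -> Optional[KeyRecord]:
        """Return the record if the key is valid, live, and carries `scope`; else None."""
        parts = presented.split("_", 2)  # the secret part may itself contain '_'
        if len(parts) != 3 or parts[0] != KEY_PREFIX:
            return None
        rec = self._by_id.get(parts[1])
        if rec is None or not hmac.compare_digest(rec.key_hash, _digest(presented)):
            return None
        if rec.revoked or not rec.enabled or scope not in rec.scopes:
            return None
        rec.uses += 1                 # usage is tied to this key, not to a shared provider key
        rec.last_used = time.time()
        return rec

    def set_enabled(self, key_id: str, enabled: bool) -> None:
        self._by_id[key_id].enabled = enabled   # reversible, for pausing a key

    def revoke(self, key_id: str) -> None:
        self._by_id[key_id].revoked = True      # permanent

    def revoke_owner(self, owner: str) -> int:
        """Offboarding: revoke every live key an identity owns, returning the count."""
        hit = [r for r in self._by_id.values() if r.owner == owner and not r.revoked]
        for r in hit:
            r.revoked = True
        return len(hit)

    def usage(self) -> list:
        """Per-key usage view for audit; never includes the secret."""
        return [{"key_id": r.key_id, "owner": r.owner, "label": r.label,
                 "uses": r.uses, "enabled": r.enabled, "revoked": r.revoked}
                for r in self._by_id.values()]


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("alice", "ci-bot", {"chat"})   # shown to the user once
    print("valid:", store.authenticate(key, "chat") is not None)
    print("wrong scope:", store.authenticate(key, "admin"))
    print("revoked for offboarding:", store.revoke_owner("alice"))
    print("after revocation:", store.authenticate(key, "chat"))
    print(store.usage())
```

The digest is compared with `hmac.compare_digest` so lookup time does not leak which prefix of a guessed key was right, and the usage view deliberately exposes only the key id, never the key, which is what lets an admin audit or disable a key without ever seeing it.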

MCP governance

MCP tools need server registration, discovery, permissions, activation rules, and logging, so tool-connected AI does not become unmanaged system access. Access can be granted for a whole server or for individual tools.

Logging, audit, and instruction integrity

Security teams need records of model use, tool calls, policy events, blocked requests, and errors. Routing decisions can be logged and inspected. DriftHold manages authoritative instructions as structured, versioned, permissioned blocks rather than fragile prompt text, which supports reviewing how AI was instructed to behave across long or multi-step workflows.

Offboarding

When an employee leaves, identity-linked access can be removed without hunting through shared provider keys.

Sensitive tool

A finance MCP tool can be available only to finance users, and only inside approved workflows, with each use attributable.
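The finance scenario above, together with the access-control list (group policy with per-user overrides, backend enforcement), the MCP governance point (grants for a whole server or a single tool) and the audit requirement, as one added example that is not ThinkFreely's or DriftHold's own code. The `Policy` and `PolicyEngine` names, the key format of the override map and the sample users, groups and workflows are all constructed for illustration.

```python
"""Backend policy enforcement for models and MCP tools: group policy with
per-user overrides, grants for a whole MCP server or a single tool, workflow
scoping, and an audit record for every decision. Added example with
hypothetical names; not ThinkFreely's or DriftHold's own code."""
import time
from dataclasses import dataclass


@dataclass
class Policy:
    group_models: dict     # group -> allowed model ids
    group_tools: dict      # group -> grants: "finance" (whole server) or "finance/post_journal" (one tool)
    user_groups: dict      # user -> groups
    user_overrides: dict   # user -> {"model:<id>" | "tool:<server>[/<tool>]": True/False}; beats group policy
    workflow_tools: dict   # approved workflow -> "server/tool" entries allowed inside it


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyEngine:
    """Every check runs here in the backend; a UI may only render the outcome."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.audit: list = []   # in-memory stand-in for a real audit sink

    def _group_grants(self, user: str, table: dict) -> set:
        grants = set()
        for group in self.policy.user_groups.get(user, ()):
            grants |= table.get(group, set())
        return grants

    def _override(self, user: str, key: str):
        return self.policy.user_overrides.get(user, {}).get(key)

    def _record(self, user: str, kind: str, resource: str, d: Decision, **extra) -> Decision:
        self.audit.append({"ts": time.time(), "user": user, "kind": kind, "resource": resource,
                           "allowed": d.allowed, "reason": d.reason, **extra})
        return d

    def can_use_model(self, user: str, model: str) -> Decision:
        override = self._override(user, f"model:{model}")
        if override is not None:
            d = Decision(override, "per-user override")
        elif model in self._group_grants(user, self.policy.group_models):
            d = Decision(True, "group policy")
        else:
            d = Decision(False, "no group grants this model")
        return self._record(user, "model", model, d)

    def can_call_tool(self, user: str, server: str, tool: str, workflow: str) -> Decision:
        resource = f"{server}/{tool}"
        d = None
        for key in (f"tool:{resource}", f"tool:{server}"):   # most specific override wins
            override = self._override(user, key)
            if override is not None:
                d = Decision(override, f"per-user override on {key}")
                break
        if d is None:
            grants = self._group_grants(user, self.policy.group_tools)
            d = (Decision(True, "group policy") if server in grants or resource in grants
                 else Decision(False, "no group grants this tool"))
        # A grant alone is not enough: the call must happen inside an approved workflow.
        if d.allowed and resource not in self.policy.workflow_tools.get(workflow, set()):
            d = Decision(False, f"tool not approved for workflow {workflow!r}")
        return self._record(user, "tool", resource, d, workflow=workflow)


def demo() -> PolicyEngine:
    """Constructed sample policy: a finance tool limited to finance users inside approved workflows."""
    policy = Policy(
        group_models={"finance": {"gpt-internal"}, "engineering": {"gpt-internal", "code-model"}},
        group_tools={"finance": {"finance/post_journal", "finance/read_ledger"}, "engineering": {"github"}},
        user_groups={"alice": {"finance"}, "bob": {"engineering"}, "carol": {"finance"}},
        user_overrides={"carol": {"tool:finance/post_journal": False}},   # carol may read but not post
        workflow_tools={"month_close": {"finance/post_journal", "finance/read_ledger"},
                        "adhoc_chat": {"finance/read_ledger"},
                        "eng_triage": {"github/create_issue"}},
    )
    engine = PolicyEngine(policy)
    engine.can_call_tool("alice", "finance", "post_journal", "month_close")   # allowed
    engine.can_call_tool("alice", "finance", "post_journal", "adhoc_chat")    # denied: wrong workflow
    engine.can_call_tool("bob", "finance", "post_journal", "month_close")     # denied: not in finance
    engine.can_call_tool("carol", "finance", "post_journal", "month_close")   # denied: per-user override
    engine.can_call_tool("bob", "github", "create_issue", "eng_triage")       # allowed: server-level grant
    engine.can_use_model("bob", "code-model")                                 # allowed
    engine.can_use_model("alice", "code-model")                               # denied
    return engine


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry["user"], entry["resource"], "ALLOW" if entry["allowed"] else "DENY", entry["reason"])
```

Two points worth carrying into a real implementation: the per-user override is resolved from the most specific key outward, so a deny on one tool does not require removing the user's whole server grant, and every decision, denied or allowed, lands in the audit list with its reason and workflow, which is what makes each use of the finance tool attributable after the fact.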

Readiness, described honestly

Access control, identity, key management, usage tracking, and MCP governance are current strengths. The full privacy pipeline and complete hardening for internet-facing deployment are designed and in progress, not complete. We do not present direction as finished.

Security implementation notes

  • Start with the controls that reduce the largest unmanaged exposure, not every possible control.
  • Document who owns model approval, tool approval, user access, and incident review.
  • Review settings after real pilots, because usage reveals risks that policy workshops miss.

Operating checks for sensitive work

Key operating checks:

  • which data categories may appear in the workflow
  • which environments are approved for sensitive work
  • when redaction, local handling, or review is required
  • how exceptions are logged and escalated
  • whether users understand the boundary before they use AI

Reduce unmanaged exposure. Keep control of who can do what, and where data can go.


Think Freely.
